Sophos UTM 9.707-5 - Let’s Encrypt failed: Failed to retrieve the current Terms of Service link

Hello, 

I appear to be having issues trying to renew LE Certificates. This started a few days ago (when due for renewal) and initially I did come to this forum for answers and found that one post suggested to update to the latest UTM version. I'm now up to 9.707-5 but still have the same issue. 

Patterns also up to date:

Current pattern version: 204063
Latest available pattern version: 204063

It appears to be related to being unable to find the TOS but all links it shows resolve fine. The certificates I have are used for UTM Management and WAF.

Looking at the logs I see the following after turning the service off and back on...

2021:10:10-09:15:14 utm letsencrypt[9881]: I Create account: creating new Let's Encrypt acccount
2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: Incorrect response code from ACME server: 500
2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: URL was: acme-v02.api.letsencrypt.org/directory
2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: TOS_UNAVAILABLE: Failed to retrieve the current Terms of Service URL
2021:10:10-09:15:15 utm letsencrypt[9881]: E Create account: failed to create account

Prior to that, an attempt at renewing:

2021:10:10-08:44:02 utm letsencrypt[1020]: E Renew certificate: Incorrect response code from ACME server: 500
2021:10:10-08:44:02 utm letsencrypt[1020]: E Renew certificate: URL was: acme-v02.api.letsencrypt.org/directory
2021:10:10-08:44:02 utm letsencrypt[1020]: I Renew certificate: handling CSR REF_CaCsrXXXXLetsEncry for domain set [DOMAINS]
2021:10:10-08:44:02 utm letsencrypt[1020]: E Renew certificate: TOS_UNAVAILABLE: Could not obtain the current version of the Let's Encrypt Terms of Service
2021:10:10-08:44:02 utm letsencrypt[1020]: I Renew certificate: sending notification WARN-603
2021:10:10-08:44:02 utm letsencrypt[1020]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
2021:10:10-08:44:02 utm letsencrypt[1020]: I Renew certificate: execution failed

The UTM has been rebooted, no change. I've turned off Web protection, no change...

Any ideas appreciated.

Thanks!
  • For my UTM the following steps worked to renew the certificates again:

    - Go to Webserver Protection → Certificate Management → Certificate Authority
    - Delete the ISRG X1-Root CA (so that only the current R3 certificate is present).
    - Renew the certificates.

    This worked even for the subsequent certificate renewals.

    What's still bugging me is that the root certificate is back in store after the first renewal. This means a wrong X1 root CA is being sent to the clients (check with ssllabs.com/ssltest to verify). With a root certificate that is present, an untrusted certificate chain is supplied (in parallel to the valid one).

  • The problem isn't with the CA, but that you can't allow Let's Encrypt certificates.

    2021:10:12-14:05:56 letsencrypt[2400]: I Create account: creating new Let's Encrypt acccount
    2021:10:12-14:05:57 letsencrypt[2400]: E Create account: Incorrect response code from ACME server: 500
    2021:10:12-14:05:57 letsencrypt[2400]: E Create account: URL was: acme-v02.api.letsencrypt.org/directory
    2021:10:12-14:05:57 letsencrypt[2400]: E Create account: TOS_UNAVAILABLE: Failed to retrieve the current Terms of Service URL
    2021:10:12-14:05:59 letsencrypt[2400]: E Create account: failed to create account

  • It appears that the above suggestion worked. I manually deleted the Root CAs (I had a few linked to Let's Encrypt) and now I can enable the account creation and was able to renew my certs.

    Two new Root CAs were added back in (CA1 and CA2) to the store.

    Thanks for the support.

  • The correct X1 CA is missing; there are 2 different ISRG Root X1 certificates.

    Delete: 93:3C:6D:DE:E9:5C:9C:41:A4:0F:9F:50:49:3D:82:BE:03:AD:87:BF

    Add: CA:BD:2A:79:A1:07:6A:31:F2:1D:25:36:35:CB:03:9D:43:29:A5:E8

    Even if the "wrong" one gets added again after a renewal, it keeps working.

    The URL acme-v02.api.letsencrypt.org/directory is signed with the correct X1 and the UTM is missing it. That's the root cause for the account not being created.
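    The two ISRG Root X1 certificates named above share a subject but differ in issuer (the cross-signed one is issued by DST Root CA X3, which expired on 30 September 2021) and therefore in SHA-1 fingerprint. The following example is added here and is not code from the thread or from Sophos: it audits an exported PEM CA bundle using only the Python standard library, reports each certificate's fingerprint, subject and issuer, and flags whether it is self-signed or cross-signed. The helper names (tlv, tbs_fields, toy_cert_pem) are hypothetical, and toy_cert_pem builds a constructed, unsigned sample certificate purely to exercise the parser offline.

```python
import base64, hashlib, re

# SHA-1 fingerprints quoted in the thread: the self-signed ISRG Root X1 that must be
# present, and the cross-signed ISRG Root X1 (issued by DST Root CA X3) to delete.
KNOWN = {"CA:BD:2A:79:A1:07:6A:31:F2:1D:25:36:35:CB:03:9D:43:29:A5:E8": "keep (self-signed X1)",
         "93:3C:6D:DE:E9:5C:9C:41:A4:0F:9F:50:49:3D:82:BE:03:AD:87:BF": "delete (cross-signed X1)"}
CN_OID = b"\x06\x03\x55\x04\x03"  # id-at-commonName (2.5.4.3) as a DER-encoded OID

def tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def tbs_fields(der):
    """Raw TLV bytes of tbsCertificate elements: serial, sigAlg, issuer, validity, subject, ..."""
    _, cert_s, _ = tlv(der, 0)       # Certificate ::= SEQUENCE
    _, pos, end = tlv(der, cert_s)   # tbsCertificate ::= SEQUENCE
    out = []
    while pos < end:
        tag, _, ve = tlv(der, pos)
        if tag != 0xA0:              # skip the optional [0] EXPLICIT version element
            out.append(der[pos:ve])
        pos = ve
    return out

def common_name(name_der):
    m = re.search(CN_OID + rb"[\x0c\x13](.)", name_der, re.DOTALL)  # UTF8String or PrintableString
    return name_der[m.end():m.end() + m.group(1)[0]].decode()

def describe_cert(der):
    """Fingerprint one DER certificate; self-signed means issuer name == subject name."""
    _, _, issuer, _, subject = tbs_fields(der)[:5]
    fp = ":".join(f"{b:02X}" for b in hashlib.sha1(der).digest())
    return {"fingerprint": fp, "subject": common_name(subject), "issuer": common_name(issuer),
            "self_signed": issuer == subject, "action": KNOWN.get(fp, "unknown")}

def audit_bundle(pem_text):
    """Describe every certificate in a PEM bundle, e.g. an exported UTM CA store."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [describe_cert(base64.b64decode("".join(b.split()))) for b in blocks]

def enc(tag, payload):  # tiny DER encoder, used only to build the constructed sample below
    n = len(payload)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + payload

def toy_cert_pem(subject_cn, issuer_cn):  # constructed, unsigned sample; enough structure to parse
    name = lambda cn: enc(0x30, enc(0x31, enc(0x30, CN_OID + enc(0x13, cn.encode()))))
    tbs = enc(0x30, enc(0xA0, enc(0x02, b"\x02")) + enc(0x02, b"\x01") + enc(0x30, b"")
              + name(issuer_cn) + enc(0x30, b"") + name(subject_cn))
    body = base64.b64encode(enc(0x30, tbs + enc(0x30, b"") + enc(0x03, b"\x00"))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
```

    Run audit_bundle over the real exported store and any ISRG Root X1 entry whose issuer is not ISRG Root X1 is the cross-signed copy the thread says to delete.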

  • Not sure why you are all still having a problem with this. My systems received CA:BD:2A:... on 30 September. All I had to do to get it in place was restart the proxy. Either disable/enable in WebAdmin or run the following command as root:

         /var/mdw/scripts/httpproxy restart

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA